User input for API calls in Server Logs need to be PCI compliant

Hi everyone,

Hope you’re doing well. Currently I am facing an issue with PCI compliance, because we are using a 3rd party fintech API to handle our payment processing. We are sending user input in an API call to connect a credit card, and other sensitive info. However, in the logs we can look at the API requests and see the user input as plain text (not encrypted).

What does this mean? Well, we spoke with a security expert today and they informed us that being able to see this information means we are not PCI compliant.

PCI Fines are in the thousands, or even tens of thousands of dollars …

Ouch. I couldn’t find a way to encrypt this in the API connector. What I’ll probably do is create a custom plugin to handle these API calls (so they aren’t accessible in the server’s logs; I can’t actually confirm this will work, but I’ll try later).

Does anyone have any advice here?

Much appreciated!

to clarify: I don’t want the logs to go away, but when I see an API call that is connecting a user’s credit card I should not be able to have their credit card displayed on my screen. It should be encrypted.

3 Likes

Can you encrypt the data before sending it in to the 3rd party fintech API and have some predetermined method for them to decrypt and use the data? I am curious if you find good solutions for this because I would like to know the answer as well. Also, the only person with access to the server logs would be a site admin like yourself. Is that still considered to not be PCI compliant? No one else can log in to your Bubble site and look at the logs.

1 Like

I guess I could ask the 3rd party… but that’s like me asking Stripe to implement something :man_shrugging:

The likelihood that they even pick up my call is small. Yup, according to the expert (certified and everything - real professional), if anyone (including admins) can snoop on unencrypted credit card information or unencrypted social security information (yeah, we’re dealing with that too here) through the server logs, then it’s 100% not PCI compliant.

The easy and obvious solution here is server side log encryption (which could be toggled by the developer) kind of like privacy rules.

1 Like

Hi, @jonah.deleseleuc !
I’m implementing something similar, but the API I’m using returns a token that refers to the customer’s credit card data, and they are responsible for storing the data.

My concern is how to send this data for the first time in the API call, before having the token related to the same card.

Although the information sent to the API call appears in the debug flow, the connection to the endpoint is fully encrypted by SSL, which prevents onlookers from viewing the information sent to obtain the token.

Now, if you don’t want even yourself to be able to view this information, my suggestion is:

  • Create a table with customer credit card fields (such as name, number, CVV…);
  • Enable the privacy rule only for that table, so that when it is not empty, no one can view the data, not even the current user;
  • Collect the data in a form and save it in the table you created;
  • Make the call flow with the data from this table and, at the end of the call, order Bubble to delete the data from the table.

This way, no one will be able to see the customer’s credit card data at any time, unless they have access to the form (which would be another problem).

I don’t remember if Stripe has card tokenization, but it certainly has some feature that removes the need to store information in Bubble’s database.

Hope I helped in some way!

Hugs,
Imad

Unfortunately PCI compliance means you’re not allowed to store that kind of data, even if it’s for a second. You could imagine the consequences if this workflow would fail to delete the records even 0.5% of the time.

Looks like I don’t have a choice - I have to create some client-side API calls.

I agree with you, there is no easy way to fix this. The solution would be if there was a way to encrypt the data in the workflow in the same way as it is done with the database, that is, making it impossible to see it in the log, but not being necessary to configure a unique encryption between you and Stripe. Maybe there is, I don’t know.

Your 3rd party fintech API should have a client-side-only bit of code or integration that enables saving credit card data without passing it through a workflow in Bubble. (sometimes called “tokenizing” it). That bit of code would return the secure token, which you could use in your workflows to run payments.

Basically every internet-savvy payments company has that - if the one you’re using doesn’t have something like that, I’d suggest finding a different payment provider.

Example: Stripe.js does this using the public key and returning a payment source which can be used to run payments.

3 Likes

Yup, the service I am using has one too. What I’m worried about is performance. I’ve got a Plaid Link happening on the same page and my page is heavy overall. I don’t want to add another JS library to the page just for that. I ended up making a client-side action that does the API call. But normally I would do exactly as you suggest :slight_smile: (on a regular page)

Also, just a side note: in 2025 the new PCI compliance guidelines will come into effect, which will require you to write a written justification for every external script you load in the header of the page. That’s another reason why I don’t want to use more JS libraries: more headache!

Cheers

1 Like

Interesting—good to know.

1 Like

Identify and list all bespoke and custom software. Requirement 6.3.2 specifies that in order to manage vulnerabilities and patches, entities are now required to identify and list all of their bespoke and custom software, including any third-party software that has been incorporated into the organization’s bespoke and custom software. The inventory should cover all “payment software components and dependencies, including supported execution platforms or environments, third-party libraries, services, and other required functionalities.”

This along with some other new requirements will be mandated by 2025. Read the article below for more info.

Has any solution been found for this?

1 Like

When linking credit cards through an API service, and in order to meet compliance, you must process the request using a client-side API call. In my case, I had to create the API call using code in a plug-in because no plug-in exists for my API service yet. As far as I can tell you cannot force an API call to happen on the client side (which I understand, because a lot of people would probably put their API keys in there not knowing that they’re exposing them to the client side).

In short, there either needs to be a plug-in or you have to make your own.

1 Like

Making my own plugin is hard for me to do. I just wanted to hide that sensitive information in the logs.